npm - @zereight/mcp-gitlab - Versions diffs - 2.0.32 → 2.0.34 - Mend

@zereight/mcp-gitlab 2.0.32 → 2.0.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +12 -1
package/build/gitlab-client-pool.js +108 -6
package/build/index.js +274 -64
package/build/oauth.js +11 -6
package/build/schemas.js +69 -0
package/build/test/no-proxy-integration-test.js +183 -0
package/build/test/no-proxy-test.js +138 -0
package/build/test/remote-auth-simple-test.js +12 -1
package/build/test/test-geteffectiveprojectid.js +236 -0
package/build/test/test-upload-markdown.js +148 -0
package/build/test/utils/mock-gitlab-server.js +5 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -336,7 +336,7 @@ docker run -i --rm \
 - `GITLAB_OAUTH_REDIRECT_URI`: The OAuth callback URL. Default: `http://127.0.0.1:8888/callback`
 - `GITLAB_OAUTH_TOKEN_PATH`: Custom path to store the OAuth token. Default: `~/.gitlab-mcp-token.json`
 - `REMOTE_AUTHORIZATION`: When set to 'true', enables remote per-session authorization via HTTP headers. In this mode:
-  - The server accepts GitLab PAT tokens from HTTP headers (`Authorization: Bearer <token>` or `Private-Token: <token>`) on a per-session basis
+  - The server accepts GitLab PAT tokens from HTTP headers (`Authorization: Bearer <token>`, `Private-Token: <token>` or `Job-Token: <token>`) on a per-session basis
   - `GITLAB_PERSONAL_ACCESS_TOKEN` environment variable is **not required** and ignored
   - Only works with **Streamable HTTP transport** (`STREAMABLE_HTTP=true`) because session management was already handled by the transport layer
   - **SSE transport is disabled** - attempting to use SSE with remote authorization will cause the server to exit with an error
@@ -400,6 +400,7 @@ docker run -i --rm \
 - `SSE`: When set to 'true', enables the Server-Sent Events transport.
 - `STREAMABLE_HTTP`: When set to 'true', enables the Streamable HTTP transport. If both **SSE** and **STREAMABLE_HTTP** are set to 'true', the server will prioritize Streamable HTTP over SSE transport.
 - `GITLAB_COMMIT_FILES_PER_PAGE`: The number of files per page that GitLab returns for commit diffs. This value should match the server-side GitLab setting. Adjust this if your GitLab instance uses a custom per-page value for commit diffs.
+- `GITLAB_REPO_FILE_ENCODING`: Encoding for repository file create/update and related commit payloads sent to the GitLab API. Use `text` (default) or `base64`. Equivalent CLI: `--repo-file-encoding=text|base64`.
 #### Performance & Security Configuration
@@ -407,6 +408,16 @@ docker run -i --rm \
 - `MAX_SESSIONS`: Maximum number of concurrent sessions allowed. Default: `1000`. Valid range: 1-10000. When limit is reached, new connections are rejected with HTTP 503.
 - `MAX_REQUESTS_PER_MINUTE`: Rate limit per session in requests per minute. Default: `60`. Valid range: 1-1000. Exceeded requests return HTTP 429.
 - `PORT`: Server port. Default: `3002`. Valid range: 1-65535.
+- `HTTP_PROXY`: HTTP proxy server URL for outgoing requests. Example: `http://proxy.example.com:8080`. Supports HTTP/HTTPS and SOCKS proxies (URLs starting with `socks://` or `socks5://`). CLI arg: `--http-proxy`
+- `HTTPS_PROXY`: HTTPS proxy server URL for outgoing requests. Example: `https://proxy.example.com:8080`. Supports HTTP/HTTPS and SOCKS proxies. CLI arg: `--https-proxy`
+- `NO_PROXY`: Comma-separated list of hosts that should bypass the proxy. Supports:
+  - Exact hostname matches (e.g., `localhost`, `gitlab.internal.com`)
+  - Domain suffix matches (e.g., `.internal.com` matches any subdomain)
+  - IP addresses (e.g., `127.0.0.1`, `192.168.1.1`)
+  - Port-specific matches (e.g., `example.com:443`)
+  - Wildcard `*` to bypass proxy for all hosts
+  - Example: `NO_PROXY=localhost,127.0.0.1,.internal.com`
+  - CLI arg: `--no-proxy`
 #### Monitoring Endpoints

package/build/gitlab-client-pool.js CHANGED Viewed

@@ -4,6 +4,64 @@ import { HttpProxyAgent } from "http-proxy-agent";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { SocksProxyAgent } from "socks-proxy-agent";
 import fs from "fs";
+/**
+ * Checks if a URL should bypass the proxy based on NO_PROXY patterns.
+ * Supports:
+ * - Exact hostname matches (e.g., "localhost", "gitlab.example.com")
+ * - Domain suffix matches (e.g., ".example.com" matches "gitlab.example.com")
+ * - IP addresses (e.g., "127.0.0.1", "192.168.1.1")
+ * - Wildcard "*" to bypass all proxies
+ * - Port-specific matches (e.g., "example.com:8080")
+ *
+ * @param url The URL to check
+ * @param noProxy Comma-separated list of patterns from NO_PROXY
+ * @returns true if the URL should bypass the proxy, false otherwise
+ */
+function shouldBypassProxy(url, noProxy) {
+    if (!noProxy) {
+        return false;
+    }
+    // Parse URL to get hostname and port
+    let hostname;
+    let port;
+    let protocol;
+    try {
+        const parsedUrl = new URL(url);
+        hostname = parsedUrl.hostname.toLowerCase();
+        protocol = parsedUrl.protocol;
+        // Use explicit port if provided, otherwise use default port based on protocol
+        port = parsedUrl.port || (protocol === 'https:' ? '443' : '80');
+    }
+    catch {
+        return false;
+    }
+    // Split NO_PROXY into patterns and trim whitespace
+    const patterns = noProxy.split(',').map(p => p.trim().toLowerCase()).filter(p => p.length > 0);
+    for (const pattern of patterns) {
+        // Wildcard matches everything
+        if (pattern === '*') {
+            return true;
+        }
+        // Handle port-specific patterns (e.g., "example.com:8080")
+        const [patternHost, patternPort] = pattern.split(':');
+        // If pattern specifies a port, check if it matches
+        if (patternPort && port !== patternPort) {
+            continue;
+        }
+        // Check for domain suffix match (e.g., ".example.com")
+        if (patternHost.startsWith('.')) {
+            const suffix = patternHost.substring(1);
+            if (hostname === suffix || hostname.endsWith('.' + suffix)) {
+                return true;
+            }
+        }
+        // Check for exact hostname match
+        else if (hostname === patternHost) {
+            return true;
+        }
+    }
+    return false;
+}
 /**
  * Manages a pool of HTTP/HTTPS agents for different GitLab API URLs.
  * This allows the server to efficiently handle requests to multiple GitLab instances
@@ -23,7 +81,7 @@ export class GitLabClientPool {
      * @returns A `ClientAgents` object containing the configured agents.
      */
     createAgentsForUrl(apiUrl) {
-        const { httpProxy, httpsProxy, rejectUnauthorized, caCertPath } = this.options;
+        const { httpProxy, httpsProxy, noProxy, rejectUnauthorized, caCertPath } = this.options;
         const url = new URL(apiUrl);
         let sslOptions = {};
         if (rejectUnauthorized === false) {
@@ -38,10 +96,12 @@ export class GitLabClientPool {
                 throw new Error(`Failed to read CA certificate: ${caCertPath}`);
             }
         }
+        // Check if this URL should bypass the proxy
+        const bypassProxy = shouldBypassProxy(apiUrl, noProxy);
         let httpAgent;
         let httpsAgent;
-        // Configure HTTP agent with proxy if specified
-        if (httpProxy) {
+        // Configure HTTP agent with proxy if specified and not bypassed
+        if (httpProxy && !bypassProxy) {
             httpAgent = httpProxy.startsWith("socks")
                 ? new SocksProxyAgent(httpProxy)
                 : new HttpProxyAgent(httpProxy);
@@ -49,8 +109,8 @@ export class GitLabClientPool {
         else {
             httpAgent = new Agent({ keepAlive: true });
         }
-        // Configure HTTPS agent with proxy and SSL options if specified
-        if (httpsProxy) {
+        // Configure HTTPS agent with proxy and SSL options if specified and not bypassed
+        if (httpsProxy && !bypassProxy) {
             httpsAgent = httpsProxy.startsWith("socks")
                 // The `as any` cast is used here to bypass a TypeScript type mismatch error.
                 // The `socks-proxy-agent` documentation indicates that TLS options like
@@ -72,6 +132,31 @@ export class GitLabClientPool {
      * @returns The corresponding `Agent` for the URL's protocol.
      */
     getOrCreateAgentForUrl(apiUrl) {
+        const agents = this.getOrCreateAgentsForUrl(apiUrl);
+        const url = new URL(apiUrl);
+        return url.protocol === "https:" ? agents.httpsAgent : agents.httpAgent;
+    }
+    /**
+     * Returns an agent-selection function for use with node-fetch's `agent` option.
+     * The returned function picks the correct HTTP or HTTPS agent based on the
+     * request URL's protocol. This is critical for self-hosted GitLab instances
+     * where the server may redirect between HTTP and HTTPS (e.g., when
+     * `external_url` differs from the actual internal protocol).
+     * @param apiUrl The base API URL used to look up or create the agent pair.
+     * @returns A function `(parsedURL: URL) => Agent` suitable for node-fetch.
+     */
+    getAgentFunctionForUrl(apiUrl) {
+        const agents = this.getOrCreateAgentsForUrl(apiUrl);
+        return (parsedURL) => {
+            return parsedURL.protocol === "https:" ? agents.httpsAgent : agents.httpAgent;
+        };
+    }
+    /**
+     * Ensures agents exist for the given API URL and returns the pair.
+     * @param apiUrl The full URL of the request.
+     * @returns The `ClientAgents` (both HTTP and HTTPS agents) for the URL.
+     */
+    getOrCreateAgentsForUrl(apiUrl) {
         const url = new URL(apiUrl);
         const baseUrl = `${url.protocol}//${url.host}${url.pathname.substring(0, url.pathname.lastIndexOf('/api/v4') + '/api/v4'.length)}`;
         if (!this.clients.has(baseUrl)) {
@@ -86,7 +171,7 @@ export class GitLabClientPool {
             // This should not happen given the logic above, but it satisfies TypeScript
             throw new Error(`Failed to create or get client for URL: ${baseUrl}`);
         }
-        return url.protocol === "https:" ? agents.httpsAgent : agents.httpAgent;
+        return agents;
     }
     /**
      * Retrieves the client agents for a specific base API URL.
@@ -110,4 +195,21 @@ export class GitLabClientPool {
         }
         return this.clients.get(defaultUrl);
     }
+    /**
+     * Destroy all pooled agents and clear pool state.
+     * This should be called on graceful shutdown so sockets are closed
+     * and the process can exit cleanly.
+     */
+    closeAll() {
+        for (const [, agents] of this.clients) {
+            const destroyIfSupported = (agent) => {
+                if (agent && typeof agent.destroy === "function") {
+                    agent.destroy();
+                }
+            };
+            destroyIfSupported(agents.httpAgent);
+            destroyIfSupported(agents.httpsAgent);
+        }
+        this.clients.clear();
+    }
 }